Hands-On Threat-Hunting Lab — Practice Golden SAML Detection Using the Free SIEM Environment…
Summary (aggregator): The article has two parts. Part 1 dissects the mechanics of the Golden SAML attack; Part 2 is a hands-on lab in a free SIEM environment that walks the reader through detecting it. By following certificate theft, forged SAML tokens, OAuth persistence, mailbox access and data exfiltration, mapped to MITRE ATT&CK and paired with threat-hunting tasks, the reader learns to detect and respond to the full Golden SAML attack chain. 2025-12-15 07:48:58 Author: infosecwriteups.com

Dhruv Patel

This blog is divided into two sections:
Part 1: Golden SAML Attack: Attack Breakdown
Part 2: Hands-On Threat-Hunting Lab: Practice Golden SAML Detection Using the Free SIEM Environment Provided (Current)

If you’re new here, I’m building a hands-on SOC series where you can practice real investigations in my SIEM.
This is Part 2 of the Golden SAML series — check out Part 1 to learn the attack details.
You’ll need access to the free SIEM environment for this lab. If you already have it, welcome back! Otherwise, request access using the link below.

New readers: request SIEM access here.

Image created by author using ChatGPT

🔬 1. Hypothesis

“An attacker has leveraged the theft of the AD FS token-signing certificate to forge SAML tokens and authenticate as a privileged Azure AD account. We suspect persistence via OAuth applications, mailbox access, and potential data exfiltration.”

This hypothesis anchors the entire investigation.
Readers must test whether the log data and alerts support (or refute) this claim.

🗺️ 2. MITRE ATT&CK Mapping

Here’s how each phase of the Golden SAML activity aligns with the MITRE ATT&CK framework.
This helps you understand exactly which adversary techniques are in play throughout the attack chain.

Image created by author using ChatGPT

🔔 3. Alerts Generated (75 Alerts Across 9 Detection Rules)

Screenshot taken by author

To see the alerts, click this link, or open the SIEM, go to Alerts, and set the time range shown above.

Image created by author using ChatGPT

🔍 4. Investigation Steps (Correct Findings)

This is where the student becomes a SOC analyst.

Use Discover with the following settings to pull every log you need for the investigation:

Screenshot taken by author

Step 1 — Start With Certificate Theft Alerts

  • Look for early AD FS activity
  • Identify certificate export event(s)
  • Extract the fingerprint for pivoting

Step 2 — Pivot on the Token Thumbprint

Search logs for:

tokenIssuerThumbprint: <stolen_thumbprint>

This uncovers all forged SAML sign-ins.

Step 3 — Investigate Privileged Sign-ins

  • Global Admin logging in from a foreign IP
  • Authentication method = Federated, requirement = Single Factor
  • Unexpected or untrusted tokenIssuerName

Step 4 — Look for Persistence via OAuth Apps

Search for newly created service principals granted suspicious permissions (for example mailbox or directory-wide Graph scopes), and note who created them and when.

Step 5 — Inspect Mailbox Access

Identify mailbox access performed under the OAuth service principal identities found in Step 4, rather than by the user's own interactive session.

Step 6 — Check for Exfiltration

Look for inbox rules that forward to external domains.

Step 7 — Map Graph Recon

Locate broad Graph API queries that enumerate:

  • Users
  • Groups
  • DirectoryRoles
  • ServicePrincipals
  • Mailboxes

This completes the timeline that proves the attacker achieved persistence and reconnaissance.

🧩 5. Threat Hunting and Final Task for the Reader: Build a Correlation Rule

Screenshot taken by author

As you investigate alerts, you can document your findings directly in an Elastic SIEM case. I’ve created a case template for this lab that also includes helpful threat-hunting queries. Feel free to use it — I’ll be reviewing all submitted cases, so if you have questions, add them directly inside your case.


Here’s your final challenge:

“Write a detection rule that correlates certificate theft → forged SAML tokens → OAuth persistence → mailbox access → exfiltration → Graph recon.”

The rule should:

✔ Combine multiple alerts

✔ Span a realistic timeframe (20–60 min)

✔ Use userPrincipalName, tokenIssuer, IP, and servicePrincipalId as pivots

✔ Detect the sequence of Golden SAML behaviors

You may choose:

  • EQL sequence rule
  • KQL with joins + event sequence
  • Timeline-based detection
  • Custom rule logic in Elastic Security

Goal:
Detect Golden SAML as a full attack chain, not as isolated alerts.
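As an added example covering both the seven investigation steps above and this correlation challenge, the Python below runs the same pivots over a handful of constructed events and then chains them inside one window. It is not the author's lab data or Elastic rules: the thumbprint, tenant domain, trusted egress range, the tokenIssuerType values and every event record are assumptions made for illustration, and the field names mirror the camelCase pivots the post names (userPrincipalName, tokenIssuerThumbprint, tokenIssuerName, servicePrincipalId).

```python
"""Hunt the Golden SAML chain and correlate it into one detection over constructed events.

Added example for this lab, not the author's data or rules. Every constant and event below
is constructed; field names follow the pivots named in the post.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

STOLEN_THUMBPRINT = "8F3A2C11D4E5F60718293A4B5C6D7E8F90A1B2C3"  # constructed, taken from the export event
TRUSTED_NETS = [ip_network("198.51.100.0/24")]                   # constructed corporate egress range
INTERNAL_DOMAIN = "corp.example"                                  # constructed tenant domain
RISKY_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Directory.Read.All", "full_access_as_app"}
RECON_PATHS = {"/users", "/groups", "/directoryRoles", "/servicePrincipals"}


def _t(hhmmss):  # all constructed events fall on one day; only the clock time varies
    return datetime.fromisoformat("2025-12-01T" + hhmmss + "+00:00")


EVENTS = [  # constructed; mimics one Discover view across sign-in, audit, Exchange and Graph indices
    {"ts": _t("09:55:00"), "kind": "signin", "userPrincipalName": "admin@corp.example", "tokenIssuerType": "AzureAD",
     "tokenIssuerName": "", "tokenIssuerThumbprint": "", "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "198.51.100.20", "roles": ["Global Administrator"]},        # legitimate admin: office IP, MFA
    {"ts": _t("10:00:00"), "kind": "adfs_cert_export", "host": "ADFS01",
     "actor": "CORP\\svc_backup", "thumbprint": STOLEN_THUMBPRINT},            # Step 1: token-signing cert exported
    {"ts": _t("10:12:00"), "kind": "signin", "userPrincipalName": "admin@corp.example",
     "tokenIssuerType": "ADFederationServices", "tokenIssuerName": "http://adfs.corp.example/adfs/services/trust",
     "tokenIssuerThumbprint": STOLEN_THUMBPRINT, "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "203.0.113.45", "roles": ["Global Administrator"]},         # Steps 2-3: forged SAML sign-in
    {"ts": _t("10:20:00"), "kind": "audit", "operation": "Add service principal", "initiatedBy": "admin@corp.example",
     "servicePrincipalId": "spn-4f2c", "permissions": ["Mail.ReadWrite", "Directory.Read.All"]},  # Step 4
    {"ts": _t("10:31:00"), "kind": "exchange", "operation": "MailItemsAccessed",
     "mailbox": "cfo@corp.example", "servicePrincipalId": "spn-4f2c"},       # Step 5: mailbox read via SPN
    {"ts": _t("10:40:00"), "kind": "exchange", "operation": "New-InboxRule", "mailbox": "cfo@corp.example",
     "servicePrincipalId": "spn-4f2c", "forwardTo": "drop@mail.evil.example"},  # Step 6: exfiltration rule
    {"ts": _t("10:48:00"), "kind": "graph", "servicePrincipalId": "spn-4f2c", "path": "/users"},  # Step 7
    {"ts": _t("10:48:05"), "kind": "graph", "servicePrincipalId": "spn-4f2c", "path": "/groups"},
    {"ts": _t("10:48:09"), "kind": "graph", "servicePrincipalId": "spn-4f2c", "path": "/directoryRoles"},
    {"ts": _t("10:48:14"), "kind": "graph", "servicePrincipalId": "spn-4f2c", "path": "/servicePrincipals"},
]


def forged_signins(events, thumbprint):
    """Step 2: sign-ins whose SAML token was signed with the stolen certificate."""
    return [e for e in events if e["kind"] == "signin" and e["tokenIssuerThumbprint"] == thumbprint]


def suspicious_privileged_signins(events):
    """Step 3: Global Admin, federated issuer, single factor, source IP outside trusted ranges."""
    def foreign(ip):
        return not any(ip_address(ip) in net for net in TRUSTED_NETS)
    return [e for e in events if e["kind"] == "signin" and "Global Administrator" in e["roles"]
            and e["tokenIssuerType"] == "ADFederationServices"
            and e["authenticationRequirement"] == "singleFactorAuthentication" and foreign(e["ipAddress"])]


def new_service_principals(events, by_user=None):
    """Step 4: service principals added with mailbox or directory-wide permissions."""
    return [e for e in events if e["kind"] == "audit" and e["operation"] == "Add service principal"
            and RISKY_PERMISSIONS & set(e["permissions"]) and (by_user is None or e["initiatedBy"] == by_user)]


def mailbox_access(events, spn_ids):
    """Step 5: mailbox reads performed under an OAuth service principal identity."""
    return [e for e in events if e["kind"] == "exchange" and e["operation"] == "MailItemsAccessed"
            and e["servicePrincipalId"] in spn_ids]


def external_forwarding_rules(events):
    """Step 6: inbox rules that forward outside the tenant's own domain."""
    return [e for e in events if e["kind"] == "exchange" and e["operation"] == "New-InboxRule"
            and not e["forwardTo"].lower().endswith("@" + INTERNAL_DOMAIN)]


def graph_recon(events, spn_id, min_collections=3):
    """Step 7: one principal enumerating several directory collections; empty list below the threshold."""
    hits = [e for e in events if e["kind"] == "graph" and e["servicePrincipalId"] == spn_id
            and e["path"] in RECON_PATHS]
    return hits if len({e["path"] for e in hits}) >= min_collections else []


def correlate(events, window_minutes=60):
    """Final task: the stages in order inside one window, pivoting on thumbprint, UPN and SPN id.
    Returns one summary per complete cert theft -> forged SAML -> OAuth -> mailbox -> exfil -> recon chain."""
    chains, window = [], timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["ts"])
    for export in (e for e in events if e["kind"] == "adfs_cert_export"):
        later = [e for e in events if export["ts"] < e["ts"] <= export["ts"] + window]
        for signin in forged_signins(later, export["thumbprint"]):
            for spn in new_service_principals(later, by_user=signin["userPrincipalName"]):
                if spn["ts"] <= signin["ts"]:
                    continue  # persistence must follow the forged sign-in
                sid = spn["servicePrincipalId"]
                after_spn = [e for e in later if e["ts"] > spn["ts"]]
                reads = mailbox_access(after_spn, {sid})
                rules = [e for e in external_forwarding_rules(after_spn) if e["servicePrincipalId"] == sid]
                recon = graph_recon(after_spn, sid)
                if reads and rules and recon:
                    last = max(e["ts"] for e in reads + rules + recon)
                    chains.append({"thumbprint": export["thumbprint"], "userPrincipalName": signin["userPrincipalName"],
                                   "sourceIp": signin["ipAddress"], "servicePrincipalId": sid,
                                   "forwardTo": rules[0]["forwardTo"], "recon": sorted({e["path"] for e in recon}),
                                   "spanMinutes": int((last - export["ts"]).total_seconds() // 60)})
    return chains
```

Run `correlate(EVENTS)` and it returns a single chain for admin@corp.example, from 203.0.113.45, through spn-4f2c, forwarding to drop@mail.evil.example, with four directory collections enumerated and a 48-minute span; shrink the window to 20 minutes and the chain no longer assembles, which is the same trade-off you make with `maxspan` in an EQL `sequence by` rule. The window and the `min_collections` threshold are the two knobs that govern false positives, and the SPN id is deliberately carried from Step 4 into Steps 5 to 7 so that a legitimate app reading mail is not stitched onto an unrelated forged sign-in.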

📁 6. Add Findings to the Case Template

Use the provided case template to:

  • Document every alert you found
  • Attach screenshots of your Timeline
  • Explain the reconstructed attack path
  • Paste your correlation rule
  • Summarize your conclusions as a SOC analyst

When complete, your case should look like a real incident-response briefing.

That’s the end of Lab 2! If you like hands-on SOC exercises and want more real-world attack walkthroughs, make sure to subscribe.
Your feedback helps me improve every lab, so feel free to drop a comment.
Have a new attack you want to see broken down like this? Tell me!
And if you don’t have SIEM access yet, you can request it here — I’ll set you up.


Source: https://infosecwriteups.com/hands-on-threat-hunting-lab-practice-golden-saml-detection-using-the-free-siem-environment-e30edaea3d29?source=rss----7b722bfd1b8d---4